[plt-scheme] Why do folks implement statically typed languages?
My experience teaching programmers suggests that they have no idea of
how to predict the performance of their programs, and thus there is a
natural bias against using such functions, even when there is no
performance issue.
Also, IMO, basic safety is so ... well ... basic that I believe the
unchecked versions shouldn't even exist (I'd be willing to have
versions without the runtime overhead if there are static guarantees
that they cannot fail, of course).
Robby
On 5/31/07, Grant Rettke <grettke at acm.org> wrote:
> > On May 31, 2007, at 11:46 AM, Noel Welsh wrote:
> >
> > > Just came across this:
> > >
> > > http://www.sans-ssi.org/top_three.pdf
> > >
> > > It lists the top 3 errors causing security holes. They are:
> > >
> > > 1. Using unvalidated user input.
> > > 2. Buffer overflow
> > > 3. "Handling integers incorrectly"
>
> Buffer overflows usually mean folks aren't thinking about the fact
> that other folks are sending malicious data (I'm not going to touch on
> the reasons for this). There are safe C functions that address this.
> For example:
>
> http://www.gratisoft.us/todd/papers/strlcpy.html
>
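
Added example, not part of the original thread or the linked paper: a checked string copy with strlcpy-style semantics (copy at most size-1 bytes, always NUL-terminate, return the source length), used to reject oversized untrusted input rather than overflow or silently truncate. The names `bounded_copy`, `set_username` and `name_field` are hypothetical, and the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper with strlcpy-style semantics: copies at most
 * size-1 bytes, NUL-terminates whenever size > 0, and returns
 * strlen(src) so the caller can detect truncation. */
size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t src_len = strlen(src);
    if (size > 0) {
        size_t n = (src_len < size - 1) ? src_len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return src_len;
}

/* Fixed-size destination, the kind of buffer an unchecked strcpy overruns. */
static char name_field[8];

/* Store untrusted input in a fixed-size field.
 * Returns 0 on success, -1 if the input does not fit. Oversized input
 * is rejected and the field cleared, so no partial data is left behind. */
int set_username(char *field, size_t field_size, const char *input)
{
    if (bounded_copy(field, input, field_size) >= field_size) {
        if (field_size > 0)
            field[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one twice the field size. */
    const char *inputs[] = { "robby", "AAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < 2; i++) {
        int rc = set_username(name_field, sizeof name_field, inputs[i]);
        printf("input length %zu: %s (field now \"%s\")\n",
               strlen(inputs[i]), rc == 0 ? "stored" : "rejected", name_field);
    }
    return 0;
}
```

The return-value comparison (`>= field_size`) is the whole point of the checked interface: the bound prevents the overflow, and the length tells the caller that the data did not fit.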